1. Introduction

The Bill and referral

1.1
The Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (the SLACIP Bill) was introduced into the House of Representatives by the Hon Karen Andrews MP, Minister for Home Affairs, on 10 February 2022.
1.2
In her second reading speech Minister Andrews identified the need for the measures contained in the Bill as the next phase of critical infrastructure security in Australia:
Critical infrastructure is increasingly interconnected and interdependent. These interconnections deliver efficiencies and economic benefits to all Australians. However, connectivity without proper safeguards creates vulnerabilities that can deliberately or even inadvertently cause disruption and result in cascading consequences across our economy, our security and our sovereignty.
Threats ranging from natural hazards, such as extreme weather events, through to human induced threats like foreign interference, cyberattacks and trusted insiders all have the potential to significantly disrupt critical infrastructure. Recent incidents such as the December 2021 Log4j vulnerability, compromising systems in Australia and across the globe, as well as the impacts of COVID-19, illustrate that threats to the operation of Australia's critical infrastructure continue to be significant and far-reaching.
It is a regrettable fact that malicious threat actors continue to target the infrastructure that underpins the provision of essential services that all Australians rely on. The consequences of a prolonged and widespread failure in the energy sector, for example, could be catastrophic not just to our economy, security and sovereignty but the Australian way of life.1
1.3
The SLACIP Bill is the second Bill introduced as a result of the Committee’s Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018.2
1.4
The first Bill as a result of that report was enacted as the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act):
In the passage of the Security Legislation Amendment (Critical Infrastructure) Act 2021, known as the SLACI Act, the government addressed recommendations 1 through 5, 10 and 14 of the advisory report in order to legislate the measures of highest criticality to protecting the security of Australian critical infrastructure in the shortest possible time. The SLACI Act has implemented key elements of the framework by introducing mandatory cyberincident reporting and government assistance to relevant entities in response to significant cyberattacks that impact Australia's critical infrastructure assets.3
1.5
The second Bill, the SLACIP Bill being reviewed, was developed in consultation with industry and through an exposure draft process, in line with recommendations from the Committee, over the October 2021 to February 2022 period.
1.6
The SLACIP Bill proposes the two remaining substantive elements of the proposed critical infrastructure framework, as identified by the Minister:
Firstly, the requirement to have, comply with, review and update a risk management program. The risk management program asks critical infrastructure entities to identify material risks that could have an impact on the critical infrastructure asset and, as far as reasonably practicable, minimise, eliminate or mitigate the risk from occurring.
The bill proposes that the risk management program is reported to a critical infrastructure assets board, council or governing body. This ensures that the material risks in the functioning of the asset are reported and raised with the most senior levels of critical infrastructure assets.
The risk management program requirement is designed to be incorporated into the existing risk management arrangements. If a critical infrastructure asset looks at and indeed, I hope, exceeds the requirements in the risk management program rules, then this is suitable for fulfilling the obligation. This obligation is meant to be additive to, as well as the least and lightest regulatory impact. Ensuring that there is appropriate risk management in place, such as for cyber and information security, physical and natural hazards, and personnel risks, is increasingly important given the interconnected nature of Australia's critical infrastructure exposes vulnerabilities which, if targeted, could result in significant consequences for our economy, security and sovereignty.
Second, there are some critical infrastructure systems and networks that are so vital, interconnected and of such national significance to the functioning of Australian society, defence or security that, if they were subject to a cyber attack, it would cause disproportionate consequences. The bill sets out criteria for the declaration of a system of national significance. The focus is on identifying critical infrastructure assets that are of national significance, noting interdependencies across key sectors in the economy and consequences should the asset be impacted.
These reforms will mean that not only will we be able to respond in times of crisis, we will also have legislation in place that assists in mitigation of the chances of a crisis emerging in the first place. In line with this objective, the SLACIP bill implements recommendations 7, 8 and 9 of the committee's advisory report.
The SLACIP bill also enables the government to work with industry to strengthen the cyber-preparedness and resilience of entities that operate assets of the highest criticality to Australia's national interests. These assets of highest criticality are defined as systems of national significance due to the role they serve in the economy and the consequences to the national interest should they be unavailable or inoperable.
The enhanced cybersecurity obligations will support a bespoke outcomes-focused partnership between government and Australia's most critical infrastructure asset operators, and will build an aggregated threat picture and understanding of cybersecurity risks to critical infrastructure in a way that is mutually beneficial to government and industry.4
The SLACIP Bill’s Explanatory Memorandum (EM) summarises the SLACIP Bill’s reforms as:
…the Government seeks to implement the remaining elements of the enhanced regulatory framework in a further bill, the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (the Bill), which gives effect to this framework by introducing:
critical infrastructure risk management programs for critical infrastructure assets (proposed Part 2A of the SOCI Act); and
enhanced cyber security obligations for those assets most important to the nation, described as systems of national significance (proposed Parts 2C and 6A of the SOCI Act).
These changes will be underpinned by enhancements to Government’s existing education, communication and engagement activities, under a refreshed Critical Infrastructure Resilience Strategy and an expanded Trusted Information Sharing Network. This will include a range of activities that will improve the collective understanding of risk between Government and industry, and within and across industry sectors.5
1.7
On the same day as its introduction into the House of Representatives, the Minister wrote to the Committee to refer the provisions of the SLACIP Bill to the Committee for inquiry and report, fulfilling Recommendation 8 of the Committee’s Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 (SOCI Bill Report).6
1.8
The referral also requested that the Committee report to the Parliament by 25 March 2022 to enable the passage of the Bill in the Autumn 2022 sittings and before the dissolution of the 46th Parliament.
1.9
Debate on the SLACIP Bill in the House of Representatives was conducted on 16 February 2022 and the Bill progressed through the second and third readings without amendment on that day.

Conduct of the inquiry

1.10
The Committee resolved to undertake an inquiry into the SLACIP Bill in the terms requested by the Minister, and launched the inquiry on 11 February 2022, with details uploaded to the Committee’s website at www.aph.gov.au/pjcis.
1.11
Submissions were invited addressing any and all aspects of the Bill by the close of business 1 March 2022, to enable the Committee to undertake the inquiry and review in the requested timeframe.
1.12
To aid submitters, the Committee posed five questions regarding areas of focus to guide submission direction, given the short submission timeframe. The five questions were:
1. Did you provide feedback on the exposure draft and do you feel like consultation was inclusive and wide-ranging?
2. Has your feedback been incorporated in the Bill or addressed in explanatory material?
3. What are your five key themes of feedback on the Bill?
4. Do you think the potential regulatory impact has been captured accurately?
5. On balance, do you support the Bill in its presented form, recognising the risks facing critical infrastructure assets in Australia?
1.13
The Committee received 48 public submissions, five supplementary submissions, two confidential submissions and one confidential attachment. A list of submissions can be found at Appendix A.
1.14
The Committee held one public hearing on 16 March 2022, comprised of government and industry stakeholder witnesses. A list of witnesses who appeared at the hearing can be found at Appendix B.
1.15
The Committee also received private and classified briefings from the Department of Home Affairs (the Department) and the Australian Signals Directorate (ASD) prior to the SLACIP Bill’s introduction, updating the Committee on the ongoing evolution of the threat environment and the consultation that had been undertaken in developing the Bill into its introduced form.
1.16
Copies of submissions, a transcript of proceedings from the public hearing7 and links to the SLACIP Bill and Explanatory Memorandum can be accessed from the inquiry webpage.8

Report structure

1.17
The report consists of three chapters:
This chapter sets out the context and conduct of the inquiry and briefly summarises the Committee’s consideration of previous critical infrastructure legislation prior to the SLACIP Bill;
Chapter 2 provides a brief outline of the SLACIP Bill, the context of its introduction, an analysis of the responses to the Committee’s recommendations from the SOCI Bill Report, the consultation processes undertaken by the Department, and the main themes of evidence received in this review; and
Chapter 3 sets out the Committee’s comments on the Bill and its recommendations.

Critical infrastructure legislative framework evolution

1.18
The legislative framework that has been evolving around the security of critical infrastructure in Australia derives from a sovereign necessity to ensure that the most essential services and assets that provide the economic and community stability that Australia enjoys are protected.
1.19
National security priorities have always supported and protected these assets from the threat of espionage, sabotage, and foreign interference, but it is only within the last decade that the Australian Government has taken a deliberate statutory role in guiding and supporting providers to ensure that security.

Telecommunications security

1.20
Amendments to Part 14 of the Telecommunications Act 1997, known as the Telecommunications Sector Security Reforms (TSSR) were the first formal response in legislation to create obligations for a targeted critical infrastructure sector to secure assets for the security of the nation.
1.21
The TSSR reforms recognised the crucial role that telecommunications and carriage service providers have in supporting the fabric of Australia’s society and economy.
1.22
The Committee reviewed the Telecommunications and Other Legislation Amendment Bill 2016, which gave effect to the TSSR, and tabled its advisory report on 30 June 2017, giving rise to the TSSR regime that has been the cornerstone of critical infrastructure security since then.
1.23
The Committee reviewed the operation of the TSSR in a statutory review undertaken in this Parliament, in tandem with the SOCI Bill review outlined below, delivering a report on that review on 7 February 2022 – outlining six recommendations identified as improvements to that sector’s security regime.

Security of Critical Infrastructure Act 2018

1.24
The Security of Critical Infrastructure Act 2018 (SOCI Act) was enacted following a PJCIS review of the Security of Critical Infrastructure Bill 2017, that was introduced on 7 December 2017 into the Senate by Senator the Hon Mathias Cormann, the then Minister for Finance and Deputy Leader of the Government in the Senate.
1.25
The 2017 Bill was introduced to establish three measures to ‘…protect Australia from the national security threats of sabotage, espionage and coercion stemming from malicious foreign involvement in our critical infrastructure’9, those measures being:
the creation of the Register of Critical Infrastructure Assets – to record who owns and operates critical infrastructure assets;
information gathering powers – to enable gathering of information on top of that provided for registration purposes, in certain circumstances; and
directions powers – the ability to intervene and issue directions to asset operators in cases where there are significant security concerns that cannot be addressed through other means.
1.26
The SOCI Act in its original form was a formalisation of the expansion of measures to ensure that critical infrastructure assets are recognised, managed and protected by the entities, in partnership with government. Minister Cormann outlined the importance of foreign investment in critical infrastructure, but also the need for the SOCI Act during the Bill’s introduction:
Foreign involvement in Australia's critical infrastructure plays an important and beneficial role in supporting economic growth. It can also improve productivity by enabling the development of much-needed infrastructure, introducing new technology, allowing access to global supply chains and markets, and enhancing Australia's skills base.
However, while recognising its many benefits, increasing foreign involvement in our national critical infrastructure means that Australia's critical infrastructure is more exposed than ever to sabotage, espionage and coercion.
Foreign involvement can increase a malicious actor's ability to access and control Australia's critical infrastructure. Such access could enable them to target activity in a way that can affect the continuity of services to citizens, as well as having extreme consequences for other dependant infrastructure or defence assets.10
1.27
The Committee made ten recommendations regarding the 2017 Bill and the issue of critical infrastructure, fuel security, data security and access, and guidelines for affected entities.11 The Bill was amended in line with the Committee’s recommendations and passed Parliament on 28 March 2018, gaining royal assent on 11 April 2018. One of those recommendations was for the Committee to review the operation, effectiveness and implications of the Act’s reforms three years after the Act came into force.

Statutory review and Security Legislation Amendment (Critical Infrastructure) Bill 2020

1.28
On 10 December 2020 the then Minister for Home Affairs, the Hon Peter Dutton MP, introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the SOCI Bill) to the House of Representatives. That Bill was referred to the Committee by the then Attorney-General, the Hon Christian Porter MP, for inquiry and review, as well as an early commencement of the statutory review of the SOCI Act.
1.29
The Committee commenced these reviews on 21 December 2020, noting the concurrent status of the Bill review along with the statutory review, as well as the already underway review of the TSSR.
1.30
The SOCI Bill had been the subject of discussion paper and exposure draft consultation by the Department prior to its introduction, but as the Committee’s reviews progressed, the evidence from industry stakeholders highlighted some key areas for Committee consideration:
a majority of stakeholders felt that consultation had been inadequate;
the regulatory impact of the Bill, and the associated rules, was unknown and unquantifiable;
the breadth of some sector definitions was concerning;
Government assistance powers were potentially intrusive, and the unknown scope and impact of proposed declarations of Systems of National Significance (SoNS) were concerning; and
other immunities and the scope of granted Ministerial and Secretarial powers were of concern.12
1.31
As a result of these concerns, balanced with the assertions that the risk of cyber-enabled threats to critical infrastructure was too high to delay the entire Bill, the Committee delivered its advisory report on both reviews on 29 September 2021. This report included 14 recommendations in relation to the Bill, including proposing a split in the proposed framework into two amended Bills:
Bill One for rapid passage – to expand the critical infrastructure sectors covered by the Act, introduce government assistance measures to be used as a last resort in crisis scenarios, as well as mandatory reporting obligations; and
Bill Two for further consultation – including declarations of systems of national significance, enhanced cyber-security obligations and positive security obligations which are to be defined in delegated legislation.
1.32
Bill One became the Security Legislation Amendment (Critical Infrastructure) Bill 2021 (SLACI Bill), which gained Royal Assent in December 2021 becoming the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act).
1.33
Bill Two is the SLACIP Bill that is the subject of this report.

Statutory review of the operation of the SLACI Act

1.34
Recommendation 8 of the Committee’s SOCI Bill report outlined:
The Committee recommends that Bill Two be amended in consultation with key stakeholders, released for feedback and with further consultation on incorporated amendments based on that feedback, prior to being reintroduced to Parliament.
Once reintroduced, Bill Two should be referred to the Parliamentary Joint Committee on Intelligence and Security for review, with a concurrent review of the operation to date of the amendments to the Security of Critical Infrastructure Act 2018 resulting from Bill One.
1.35
The referral for the SLACIP Bill has been made in accordance with this recommendation; however, the Committee is not proposing to undertake the review of the operation of the amendments to the SOCI Act made by the SLACI Act (Bill One), for a number of reasons.
1.36
Firstly, the requested timeframe for the Bill review does not allow for the depth of analysis required for such a review.
1.37
Secondly, the SLACI Act has been in force for less than four months, and will be affected further by the implementation of the proposed reforms in the SLACIP Bill. The timeframe envisaged by the Committee in making Recommendation 8 of the SOCI Bill Report was longer than the interval that has in fact elapsed before the introduction of the SLACIP Bill.
1.38
Finally, the Committee will make further comment and recommendations regarding the implementation and review of the operation, effectiveness and implications of the SOCI Act as a whole later in this report.